----- Original Message -----
From: "Sumit Bose" <sbose(a)redhat.com>
To: sssd-devel(a)lists.fedorahosted.org
Sent: Friday, 17 July, 2015 9:01:49 PM
Subject: Re: [SSSD] [PATCHES] Add support for Smartcard authentication
On Fri, Jul 10, 2015 at 06:40:30PM +0200, Sumit Bose wrote:
> Hi,
>
> this is the initial version of my patch which add Smartcard
> authentication to SSSD. I'm still working on a design page which will
> explain everything in more details so I will only add a short version
> here.
>
> The main job will be done by a new child process called p11_child. Since
> the Smartcard support in GDM is based on NSS I used NSS for the first
> version of p11_child as well. But since all PKCS#11 (API to talk to
> Smartcards) related code is in this child process adding support for
> other PKCS#11 frameworks like p11-kit would be straight forward (in fact
> I already started on the p11-kit version). Using NSS here means you have
> to add the PKCS#11 module for your Smartcards reader to /etc/pki/nssdb
> (the NSS DB GDM uses as well) with modutil or pk11install from the
> coolkey package.
>
> The PAM configuration so far must not be changed. pam_sss will do a
> pre-auth request similar to the OPT case for find a suitable
> authentication method for the user. The pam responder then checks is
> Smartcard authentication is enabled (pam_cert_auth = True in the [pam]
> section of sssd.conf), if the service is a local one and if there if a
> valid certificate can be found which is available in the users LDAP
> entry as well. If all this checks pass pam_sss will ask the user for a
> PIN and then SSSD tries to validate that PIN, public and private keys
> all relate to each other. If no Smartcard is found for the user the
> standard password prompt is displayed.
>
> With some valuable input form Christian Heimes I think I found a way to
> test the Smartcard support even without real hardware but I still have
> to work out some of the details. I will add instructions to the design
> page and better and more unit tests.
>
> Any comments and suggestions are welcome.
Please find attached an improved version of the patches.
One quick nit in b/src/responder/pam/pamsrv.h:
-- snip --
int public_domains_count;
+
+ bool cert_auth;
+ int p11_child_debug_fd;
-- snip --
Typically |int| is 32bit and |bool| is one byte, so we end-up with a 3byte pad here for no
good reason. Better would be this order:
-- snip --
-- snip --
int public_domains_count;
+
+ int p11_child_debug_fd;
+ bool cert_auth;
-- snip --
(same applies to |struct pam_check_cert_state| with 64bit pointers vs. |int|)
Question:
In src/p11_child/p11_child_nss.c |PK11_SetPasswordFunc(password_passthrough)| uses memory
from |PL_strdup()| - who is freeing that memory (|PL_free()|) ?
Especially
there are improvements to the test, the return values from the p11_child
are not mocked used the actual retrieved certificate data. The test data
causes some increase in the patch size. I plan to replace this with data
which is generate during the test run but for a start it is easier this
way.
I also added a 7th patch which should resolve
https://fedorahosted.org/sssd/ticket/2711 (SSH with certificates).
Strictly it is not related to Smartcard authentication via PAM but it
depends on the NSS version of the cert utilities (patch 0001) so I
included it here as well.
On the design page I added the 'How to test' section
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep...
which hopefully gives sufficient details how to set up a test
environment.
Is there any development branch I can use to checkout and build these changes in one step
? It'll make testing of future versions a tick easier...
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) rmainz(a)redhat.com
\__\/\/__/ IPA/Kerberos5 team
/O /==\ O\
(;O/ \/ \O;)